porkadot 0.23.0 → 0.25.0

Files changed (48) hide show
  1. checksums.yaml +4 -4
  2. data/hack/metallb/crds/kustomization.yaml +5 -0
  3. data/hack/metallb/exclude-l2-config.yaml +8 -0
  4. data/hack/metallb/kustomization.yaml +10 -0
  5. data/hack/update-kubelet-cert-approver.sh +6 -0
  6. data/hack/update-metallb.sh +7 -0
  7. data/lib/porkadot/assets/bootstrap/manifests/kube-apiserver.bootstrap.yaml.erb +1 -1
  8. data/lib/porkadot/assets/etcd/etcd-server.yaml.erb +17 -9
  9. data/lib/porkadot/assets/etcd/etcd.env.erb +4 -0
  10. data/lib/porkadot/assets/etcd/install.sh.erb +1 -0
  11. data/lib/porkadot/assets/etcd.rb +1 -0
  12. data/lib/porkadot/assets/kubelet/config.yaml.erb +1 -39
  13. data/lib/porkadot/assets/kubelet/initiatorname.iscsi.erb +1 -0
  14. data/lib/porkadot/assets/kubelet/kubelet.service.erb +2 -6
  15. data/lib/porkadot/assets/kubelet/metadata.json.erb +5 -0
  16. data/lib/porkadot/assets/{kubelet → kubelet-default}/install-deps.sh.erb +3 -1
  17. data/lib/porkadot/assets/{kubelet → kubelet-default}/install-pkgs.sh.erb +1 -3
  18. data/lib/porkadot/assets/kubelet-default/install.sh.erb +22 -7
  19. data/lib/porkadot/assets/kubelet-default/setup-containerd.sh.erb +22 -0
  20. data/lib/porkadot/assets/kubelet-default/setup-node.sh.erb +16 -0
  21. data/lib/porkadot/assets/kubelet.rb +14 -12
  22. data/lib/porkadot/assets/kubernetes/install.sh.erb +3 -1
  23. data/lib/porkadot/assets/kubernetes/manifests/addons/coredns/coredns.yaml.erb +1 -1
  24. data/lib/porkadot/assets/kubernetes/manifests/addons/coredns/dns-horizontal-autoscaler.yaml.erb +1 -1
  25. data/lib/porkadot/assets/kubernetes/manifests/addons/flannel/flannel.yaml.erb +12 -51
  26. data/lib/porkadot/assets/kubernetes/manifests/addons/kubelet-serving-cert-approver/kustomization.yaml.erb +3 -0
  27. data/lib/porkadot/assets/kubernetes/manifests/addons/kubelet-serving-cert-approver/src.yaml.erb +210 -0
  28. data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/000-metallb.yaml.erb +3 -1
  29. data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/crds.yaml +1272 -0
  30. data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.config.yaml.erb +1 -12
  31. data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.yaml.erb +507 -252
  32. data/lib/porkadot/assets/kubernetes/manifests/kube-apiserver.yaml.erb +4 -1
  33. data/lib/porkadot/assets/kubernetes/manifests/kube-controller-manager.yaml.erb +3 -0
  34. data/lib/porkadot/assets/kubernetes/manifests/kube-scheduler.yaml.erb +3 -1
  35. data/lib/porkadot/assets/kubernetes.rb +22 -1
  36. data/lib/porkadot/config.rb +1 -1
  37. data/lib/porkadot/configs/addons.rb +4 -0
  38. data/lib/porkadot/configs/etcd.rb +9 -0
  39. data/lib/porkadot/configs/kubelet.rb +25 -7
  40. data/lib/porkadot/default.yaml +17 -15
  41. data/lib/porkadot/install/bootstrap.rb +1 -1
  42. data/lib/porkadot/install/kubelet.rb +24 -40
  43. data/lib/porkadot/version.rb +1 -1
  44. data/lib/porkadot.rb +1 -0
  45. metadata +17 -7
  46. data/lib/porkadot/assets/kubelet/install.sh.erb +0 -35
  47. data/lib/porkadot/assets/kubelet/setup-containerd.sh.erb +0 -17
  48. data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.yaml +0 -480
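--- a/data/lib/porkadot/assets/kubernetes/manifests/addons/kubelet-serving-cert-approver/src.yaml.erb
+++ b/data/lib/porkadot/assets/kubernetes/manifests/addons/kubelet-serving-cert-approver/src.yaml.erb
@@ -0,0 +1,210 @@
+ apiVersion: v1
+ kind: Namespace
+ metadata:
+ labels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ pod-security.kubernetes.io/audit: restricted
+ pod-security.kubernetes.io/enforce: restricted
+ pod-security.kubernetes.io/warn: restricted
+ name: kubelet-serving-cert-approver
+ ---
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ labels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ name: kubelet-serving-cert-approver
+ namespace: kubelet-serving-cert-approver
+ ---
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ labels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ name: certificates:kubelet-serving-cert-approver
+ rules:
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests/approval
+ verbs:
+ - update
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ - apiGroups:
+ - certificates.k8s.io
+ resourceNames:
+ - kubernetes.io/kubelet-serving
+ resources:
+ - signers
+ verbs:
+ - approve
+ ---
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ labels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ name: events:kubelet-serving-cert-approver
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ ---
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ labels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ name: events:kubelet-serving-cert-approver
+ namespace: default
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: events:kubelet-serving-cert-approver
+ subjects:
+ - kind: ServiceAccount
+ name: kubelet-serving-cert-approver
+ namespace: kubelet-serving-cert-approver
+ ---
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ labels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ name: kubelet-serving-cert-approver
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: certificates:kubelet-serving-cert-approver
+ subjects:
+ - kind: ServiceAccount
+ name: kubelet-serving-cert-approver
+ namespace: kubelet-serving-cert-approver
+ ---
+ apiVersion: v1
+ kind: Service
+ metadata:
+ labels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ name: kubelet-serving-cert-approver
+ namespace: kubelet-serving-cert-approver
+ spec:
+ ports:
+ - name: metrics
+ port: 9090
+ protocol: TCP
+ targetPort: metrics
+ selector:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ ---
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ labels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ name: kubelet-serving-cert-approver
+ namespace: kubelet-serving-cert-approver
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ spec:
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - preference:
+ matchExpressions:
+ - key: node-role.kubernetes.io/master
+ operator: DoesNotExist
+ - key: node-role.kubernetes.io/control-plane
+ operator: DoesNotExist
+ weight: 100
+ containers:
+ - args:
+ - serve
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ image: ghcr.io/alex1989hu/kubelet-serving-cert-approver:main
+ imagePullPolicy: Always
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: health
+ initialDelaySeconds: 6
+ name: cert-approver
+ ports:
+ - containerPort: 8080
+ name: health
+ - containerPort: 9090
+ name: metrics
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: health
+ initialDelaySeconds: 3
+ resources:
+ limits:
+ cpu: 250m
+ memory: 32Mi
+ requests:
+ cpu: 10m
+ memory: 16Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ priorityClassName: system-cluster-critical
+ securityContext:
+ fsGroup: 65534
+ runAsGroup: 65534
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: kubelet-serving-cert-approver
+ tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+ operator: Exists
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/control-plane
+ operator: Exists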
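Review bot: The Deployment's container image is referenced by the mutable tag `main` together with `imagePullPolicy: Always` (new lines 163-164), so each pod restart pulls whatever was last pushed to that branch rather than a build tied to this gem release. The pod's service account is bound to the `certificates:kubelet-serving-cert-approver` ClusterRole, which permits approving CSRs for the `kubernetes.io/kubelet-serving` signer, and it runs at `system-cluster-critical` priority, so an unreviewed or tampered image would act with that authority. Pinning to a reviewed build by digest, `image: ghcr.io/alex1989hu/kubelet-serving-cert-approver@sha256:<DIGEST_PLACEHOLDER>`, with `imagePullPolicy: IfNotPresent`, would make the running code reproducible and auditable. The rest of the pod hardening (restricted namespace labels, dropped capabilities, read-only root filesystem, non-root user, RuntimeDefault seccomp) looks sound as written.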
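--- a/data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/000-metallb.yaml.erb
+++ b/data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/000-metallb.yaml.erb
@@ -3,5 +3,7 @@ kind: Namespace
  metadata:
  labels:
  app: metallb
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/warn: privileged
  name: metallb-system
-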
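Review bot: All three Pod Security labels on `metallb-system` are set to `privileged`, which removes admission enforcement and also the audit and warn signals for every pod created in that namespace, not only the MetalLB workloads. If the relaxed level is needed only for a component with host-level access (presumably the speaker; that manifest is not part of this hunk, so confirm there), keeping `pod-security.kubernetes.io/audit: baseline` and `pod-security.kubernetes.io/warn: baseline` would still record an unexpected privileged pod in the audit log. A short comment above the labels, for example `# enforce=privileged: required by <component>, see metallb.yaml.erb`, would document why the namespace is exempted. Access to create pods in this namespace should be treated as equivalent to node-level access and restricted through RBAC accordingly.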